The FBI’s digital detective work not only brought down CIA Director David Petraeus, it also provided rare insights into the bureau’s latest methods for tracking people across cyberspace and the fight over government surveillance.

Petraeus resigned suddenly on Friday, citing an affair that was uncovered after FBI agents followed an electronic trail that eventually linked the former Army general to his biographer, Paula Broadwell. The explosive combination of sex and spies was only embellished by the details of how federal officials stumbled across the liaison.

“Anyone more alarmed by FBI snooping through a journalist's emails & investigating the sex life of CIA Dir. than who Petraeus was schtupping?” New Yorker Washington correspondent Ryan Lizza tweeted on Sunday. “FBI SPIED ON CIA DIRECTOR, WOMAN; EMAILS?” blared a headline on theDrudge Report.

The first round of e-mails was provided by a Florida woman who complained to the FBI after receiving anonymous threatening messages. According to The Wall Street Journal, investigators used “metadata footprints left by the e-mails” to determine where the messages were sent from and link the e-mails to Broadwell. Officials also checked what other e-mail accounts had been accessed from the same computer address, according to The New York Times.

It’s not clear how officials obtained that metadata, but if it involved cooperation from one or more e-mail service providers, a warrant may not have been needed under current law. Christopher Soghoian, an analyst with the American Civil Liberties Union, said location and basic identifying information traditionally have had the least protection under privacy laws and can often be gathered with a subpoena. “What this shows is that the government can get pretty far with just a subpoena,” he said. “This is extensive gumshoeing and lots of work for a threatening e-mail or two.”

Once officials had traced the messages to Broadwell, they used that information as probable cause to obtain a warrant to monitor her computer, The Journal reported. That led investigators to Gmail accounts used by Broadwell and Petraeus. Officials initially worried that the CIA director’s account had been compromised, but determined the messages had come from him. Officials told The Journalthat they never monitored Petraeus’ accounts.

Internet companies have reported an increasing tide of government requests. Google, for example, reported that it received more than 12,000 requests for user data from American government agencies last year. If investigators in the Petraeus case needed help from Google, they likely got it: The Internet giant said it complied with 93 percent of requests from U.S. agencies in 2011.

Privacy advocates and many Internet companies say the bar for obtaining private electronic information is far too low. “The government can compel the handover of e-mail stored at a ‘remote computing service’ with a so-called ‘D order’ without showing probable cause,” according to an explanation of digital privacy laws by the Electronic Frontier Foundation. “Nor does the government need a warrant if an e-mail message is older than 180 days. This low threshold to electronic messages is in stark contrast to the Fourth Amendment protections for physical letters.”

Most popular Internet-based e-mail services like Gmail, Hotmail, or Yahoo, as well as social networks like Facebook, could be considered remote computing services.

Senate Judiciary Chairman Patrick Leahy, D-Vt., has said he hopes to work on revisions to the 1986 Electronic Communications Privacy Act, which deals with government access to electronic communications.

“Updating these digital-privacy laws to address the realities of our time should not be a partisan issue,” Leahy said at a hearing in September. “Americans from all across our Nation — regardless of party affiliation or ideology — are impacted by the many new threats to their privacy in cyberspace.”

The proposed changes would include requiring a warrant for e-mail content, but would not apply those standards to records like location or other metadata.

“It’s very interesting that there are no proposals to protect metadata,” said ACLU legislative counsel Chris Calabrese. “The line between content and records has really started to blur. We haven’t really grappled with that, but we’re going to have to.”

FROM OUR SPONSORS

sponsored

JOIN THE DISCUSSION

By using this service you agree not to post material that is obscene, harassing, defamatory, or
otherwise objectionable. Although Nextgov does not monitor comments posted to this site (and has
no obligation to), it reserves the right to delete, edit, or move any material that it deems to
be in violation of this rule.

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

Data-Centric Security vs. Database-Level Security

Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.